Why are PasswordAuthentication and UsePAM mutually exclusive?


I have a fairly complicated authentication setup on a Suse 9.1 machine,
which runs OpenSSH 3.8p1.  I allow local users to login, I allow LDAP
users to login with kerberos passwords, and I also allow LDAP users to
log in with LDAP passwords.

This setup required me to modify many of the files under /etc/pam.d, so
that both LDAP and kerberos passwords are sufficient for login.

My sshd_config contains these lines:
PasswordAuthentication no
UsePAM yes

With this configuration, most newer SSH clients can connect.  However,
some older clients can't connect, and even some newer clients require
changing an unintuitive setting in order to connect.  For example, newer
ssh.com clients require you to specify 'keyboard-interactive
authentication' instead of 'password authentication', which is very
unintuitive for the user.  Older ssh.com clients do not include the
keyboard-interactive option at all.

If I enable PasswordAuthentication and/or disable UsePAM, no one can
connect using a password, but I do not get any pam error messages in my
log file.  Apparently PasswordAuthentication completely ignores
both kerberos and ldap.

So I guess I have a couple questions:

1) What is sshd trying to authenticate against when PasswordAuthentication
is enabled?  I'm not getting any pam_ldap or pam_krb5 errors in my log
file when that option is enabled, so sshd seems to be completely ignoring
my authentication setup.

2) Why are PasswordAuthentication and UsePAM mutually exclusive?  E.g., why
can't I type in a password when PasswordAuthentication is enabled and have
sshd pass on the password to PAM?

I'd really like to have the maximum compatibility with various ssh
clients, but it doesn't seem like it's going to happen unless I can get
PasswordAuthentication and PAM talking to each other.

thanks for any help,
Jim Faulkner

Re: Why are PasswordAuthentication and UsePAM mutually exclusive?

On Wed, 21 Jul 2004 16:08:17 -0400, Jim Faulkner wrote:

Looks like this will be fixed in the next release:

Jim Faulkner
